GRCWatch
Sign inStart free trial

PCI DSS 11.1.3: Managing Non-Critical Vulnerabilities

Non-critical vulnerabilities can accumulate into significant security risks if left unmanaged. PCI DSS 11.1.3 requires organizations to establish a systematic approach to identifying, tracking, and remediating all vulnerabilities below the critical and high-risk threshold. This control ensures your vulnerability management program covers the full spectrum of security issues.

What this means

This control requires you to manage all vulnerabilities that don't meet critical or high-risk criteria using a documented vulnerability management policy. While critical and high-risk vulnerabilities demand immediate attention, non-critical vulnerabilities still pose security risks and must be tracked, prioritized, and remediated according to your organization's defined timelines and processes. This prevents vulnerability accumulation and ensures comprehensive coverage of your security posture.

How to comply

  1. 1.Document your vulnerability management policy with clear definitions of vulnerability severity levels and remediation timelines for each category
  2. 2.Establish vulnerability scanning procedures that identify and classify all vulnerabilities, including non-critical ones
  3. 3.Create a tracking system or inventory that logs all non-critical vulnerabilities with discovery dates, affected systems, and remediation status
  4. 4.Define remediation timelines for non-critical vulnerabilities based on risk factors and business impact
  5. 5.Assign ownership and accountability for remediation of non-critical vulnerabilities to system owners or security teams
  6. 6.Conduct regular reviews of non-critical vulnerabilities to ensure timely remediation and prevent status drift
  7. 7.Maintain audit trails documenting when vulnerabilities were identified, remediated, and verified as resolved

Evidence auditors look for

  • Vulnerability management policy document defining severity classifications and remediation timelines
  • Vulnerability scanner reports showing identified non-critical vulnerabilities with timestamps
  • Vulnerability tracking spreadsheet or system with status updates and remediation dates
  • Patch management records proving non-critical vulnerability remediation
  • System access logs showing vulnerability scanning activities across the network
  • Management review meeting minutes discussing vulnerability remediation progress
  • Email communications or tickets documenting vulnerability assignments and resolution

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automates vulnerability categorization and tracks non-critical remediation timelines in a single dashboard, eliminating manual spreadsheet management and providing auditors with instant evidence of your vulnerability management policy in action.

See how GRCWatch handles this control automatically

Start free trial

Related controls

PCI DSS 11.1.1 — Perform Vulnerability ScanningPCI DSS 11.1.2 — Manage Critical VulnerabilitiesPCI DSS 11.2 — Conduct Quarterly Vulnerability ScansPCI DSS 11.3 — Develop a Vulnerability Management Policy